1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom
The Mini Shai-Hulud supply chain attack targeted popular software packages in the PyPi, NPM, and PHP ecosystems, including Lightning, intercom-client, and intercom-php. Malicious versions of these packages were injected with information-stealing malware that harvested credentials, keys, tokens, and other secrets from infected machines. The stolen data was exfiltrated to GitHub repositories with a distinctive marker. Over 1,800 developers were impacted, with the compromised packages having millions of downloads. The attack also included mechanisms to retrieve commands from GitHub and scan for Kubernetes and Vault secrets. This campaign is linked to the TeamPCP hacking group and continues a previous Shai-Hulud attack from late 2025. No patch or remediation information is provided in the source content.
AI Analysis
Technical Summary
The Mini Shai-Hulud attack is a supply chain compromise affecting multiple ecosystems (PyPi, NPM, Packagist) by injecting information-stealing malware into widely used packages such as Lightning (PyPi), intercom-client (NPM), and intercom-php (Packagist). The malware collects sensitive credentials, tokens, and secrets from infected environments, including cloud service keys, database strings, private keys, and session data. It exfiltrates data to GitHub repositories and uses dynamic fallback mechanisms to receive commands. The attack targets developer machines and environments, leveraging dependencies to propagate. It is attributed to the TeamPCP group and represents a continuation of earlier Shai-Hulud supply chain attacks. The compromised package versions include Lightning 2.6.2 and 2.6.3, intercom-client 7.0.4 and 7.0.5, and intercom-php 5.0.2. No official patch or remediation guidance is mentioned.
Potential Impact
The attack compromises developer environments by stealing a wide range of sensitive credentials and secrets, potentially enabling further unauthorized access to cloud services, code repositories, databases, and communication platforms. Over 1,800 developers and numerous repositories have been affected, increasing the risk of widespread credential exposure and downstream supply chain contamination. The malware's ability to scan for Kubernetes and Vault secrets further elevates the risk to cloud-native infrastructure security. The high download counts of the affected packages amplify the potential impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisories for Lightning, intercom-client, and intercom-php packages for current remediation guidance. Until official fixes are available, developers should consider auditing their dependencies, removing or replacing affected package versions (Lightning 2.6.2/2.6.3, intercom-client 7.0.4/7.0.5, intercom-php 5.0.2), and rotating any potentially exposed credentials and secrets. Monitoring for suspicious GitHub repositories or commits containing the attack markers may assist in detection. Follow updates from package maintainers and security firms for remediation.
1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom
Description
The Mini Shai-Hulud supply chain attack targeted popular software packages in the PyPi, NPM, and PHP ecosystems, including Lightning, intercom-client, and intercom-php. Malicious versions of these packages were injected with information-stealing malware that harvested credentials, keys, tokens, and other secrets from infected machines. The stolen data was exfiltrated to GitHub repositories with a distinctive marker. Over 1,800 developers were impacted, with the compromised packages having millions of downloads. The attack also included mechanisms to retrieve commands from GitHub and scan for Kubernetes and Vault secrets. This campaign is linked to the TeamPCP hacking group and continues a previous Shai-Hulud attack from late 2025. No patch or remediation information is provided in the source content.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Mini Shai-Hulud attack is a supply chain compromise affecting multiple ecosystems (PyPi, NPM, Packagist) by injecting information-stealing malware into widely used packages such as Lightning (PyPi), intercom-client (NPM), and intercom-php (Packagist). The malware collects sensitive credentials, tokens, and secrets from infected environments, including cloud service keys, database strings, private keys, and session data. It exfiltrates data to GitHub repositories and uses dynamic fallback mechanisms to receive commands. The attack targets developer machines and environments, leveraging dependencies to propagate. It is attributed to the TeamPCP group and represents a continuation of earlier Shai-Hulud supply chain attacks. The compromised package versions include Lightning 2.6.2 and 2.6.3, intercom-client 7.0.4 and 7.0.5, and intercom-php 5.0.2. No official patch or remediation guidance is mentioned.
Potential Impact
The attack compromises developer environments by stealing a wide range of sensitive credentials and secrets, potentially enabling further unauthorized access to cloud services, code repositories, databases, and communication platforms. Over 1,800 developers and numerous repositories have been affected, increasing the risk of widespread credential exposure and downstream supply chain contamination. The malware's ability to scan for Kubernetes and Vault secrets further elevates the risk to cloud-native infrastructure security. The high download counts of the affected packages amplify the potential impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisories for Lightning, intercom-client, and intercom-php packages for current remediation guidance. Until official fixes are available, developers should consider auditing their dependencies, removing or replacing affected package versions (Lightning 2.6.2/2.6.3, intercom-client 7.0.4/7.0.5, intercom-php 5.0.2), and rotating any potentially exposed credentials and secrets. Monitoring for suspicious GitHub repositories or commits containing the attack markers may assist in detection. Follow updates from package maintainers and security firms for remediation.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/1800-hit-in-mini-shai-hulud-attack-on-sap-lightning-intercom/","fetched":true,"fetchedAt":"2026-05-01T07:36:22.034Z","wordCount":1026}
Threat ID: 69f457f6cbff5d861086a5e3
Added to database: 5/1/2026, 7:36:22 AM
Last enriched: 5/1/2026, 7:36:33 AM
Last updated: 5/1/2026, 9:06:37 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.